In case you were wondering about the Statement on Auditing Standards No. 70, otherwise known as SAS (News - Alert) 70, it "defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization," according to an overview published on SearchCIO.

Originally, it was developed by the American Institute of Certified Public Accountants as a simplification of a set of criteria for auditing standards originally defined in 1988, and classifies auditor reports as either Type I or Type II.

As the SAS 70 site itself notes, "SAS No. 70 is generally applicable when an independent auditor is planning the financial statement audit of an entity that obtains services from another organization. Service organizations that impact a user organization's system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third party administrators, or other data processing service bureaus."

In a Type I report, as the SearchCIO account notes, "the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. A Type II report includes the same information as that contained in a Type I report," and "the auditor attempts to determine the effectiveness of agreed-on controls since their implementation.

NDB Accountants and Consultants explain that Type II audits "include an examination of controls that have been placed in operation and testing of operating effectiveness. Testing of controls is required for Type II audits, with a minimum testing period of at least six months."

A Type II report is issued after a generally accepted period has been completed, NDB says, adding that  "for example, an accounting firm would examine a company's controls from June 1, 2007 to Nov.  30, 2007 and report on the 'controls placed in operations and tests of operating effectiveness' for the six-month test period of the audit."

As an example, Host.net's (News - Alert) renewed SAS 70 Type II certification followed a comprehensive evaluation of the company's physical security, environmental security, network monitoring, problem escalation and support by SAS 70 Solutions, the largest U.S.-based audit firm specializing in SAS 70 audit services, according to company officials.

Up-to-date security assurance is imperative for companies selecting a colocation provider. Furthermore, it is essential to know that the provider meets strict standards covering everything from the physical building itself to network and power redundancy, 24/7 monitoring and support, according to Roger Barranco, chief technology officer and vice president of operations for Host.net.

"The fact that we have achieved these certifications - and in fact renewed our SAS 70 Type II certification, which many providers fail to do - demonstrate that our clients' equipment and information assets are safe," he said.